PBR Bug - Cannot delete it
Hello all,
I am having an issue with a Security Gateway (R80.10, build number 1) when deleting a Policy Rule. I have tried to delete it from GUI and CLI but it is still listed in Expert Mode:
[Expert@GW1:0]# ip rule list
19: from 192.168.50.0/29 lookup 9 hit 90788 <----
The weirdest thing is that if I add a new Policy Rule with ID 19, the old Policy Rule, which should be deleted, still appears there:
[Expert@GW1:0]# ip rule list
19: from 192.168.50.0/29 lookup 9 hit 90788
19: from 192.168.80.0/25 lookup 9
Can you please tell me if there is a way to delete this Policy Rule from the Expert mode directly (this Policy Rule is already deleted from GUI/CLI)? Thank you very much.
Best Regards.
Hi guys,
Just to chime in, ran into this issue today. Tried deleting the PBR rules, then cpstop;cpstart, and ip rule list still showed the wrong rules. A little bit expected, as restarting the cp daemons shouldn't affect the inner working of the system in this case.
Was tempted to remove it manually via the ip command, but since that's generally not advisable and as this had a maintenance window, I rebooted the node and everything is fine now.
This was under R80.20 take 141
There are multiple parts to the problem. A PBR rule is left in the kernel whenever the user tried to delete it and it was deleted from the configuration database as well as from routed.conf, but the back-end process 'routed' didn't get a chance to delete it from the kernel. Mostly, routed has crashed or something went wrong with the routed.conf file.
Once the system is in the weird state, here is the suggested approach:
- Check the config system with 'dbget -arv routed:instance:default:pbrrules'; if it doesn't exist, then
- Check with 'ip rule list'; if it exists, the only way to remove it is using the 'ip rule delete' command, or
- Reboot the system to reset the PBR rules in the kernel.
We need to find out the root cause of the routed crash; this is only a side effect. This can happen with any other feature also.
Since you are able to add a PBR rule later, it mostly has something to do with some other configuration that you have done along with the PBR configuration.
If the problem still persists, you can upgrade to a new JHF or release. You can also open a ticket with TAC for further help.
-Raghu
Hi,
I actually viewed the state of routed via the cpwd_admin list and show cluster-state, and it seemed that everything was fine. Additionally, there were no core dumps under /var/log/dumps.
In some scenarios, routed just restarts without dumping core. You will get to know from the syslog messages. You can see that the process ID also changes. You can still open a ticket with TAC if you need help with it.
I managed to solve my problem by deleting it from the rule list with the command below:
ip rule del from <ip> lookup <id>
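
The check described in the replies above (compare what is still configured with what `ip rule list` shows, then remove leftovers with `ip rule del`), as an added example that is not from the thread or from Check Point. It parses `ip rule list` output in the format quoted in the first post and prints, without running it, the delete command for each rule found in the kernel but not in a list of still-configured rules; the sample data and the `<priority> <source> <table>` list format are assumptions made here.

```sh
#!/bin/sh
# Added example: list PBR rules still in the kernel but no longer configured.
# Input format follows the `ip rule list` lines quoted in this thread; the
# trailing "hit N" counter is optional.

# Constructed sample: kernel state as shown in the first post.
SAMPLE_KERNEL_RULES='0: from all lookup local
19: from 192.168.50.0/29 lookup 9 hit 90788
19: from 192.168.80.0/25 lookup 9
32766: from all lookup main
32767: from all lookup default'

# Assumption: rules that are still configured, one per line, written by the
# operator as "<priority> <source> <table>".
SAMPLE_CONFIGURED='19 192.168.80.0/25 9'

# stale_rules KERNEL CONFIGURED: print "<priority> <source> <table>" for every
# kernel rule that is missing from CONFIGURED.
stale_rules() {
    printf '%s\n' "$1" | CONF="$2" awk '
        BEGIN {
            n = split(ENVIRON["CONF"], lines, "\n")
            for (i = 1; i <= n; i++) {
                if (split(lines[i], f, " ") >= 3) want[f[1] " " f[2] " " f[3]] = 1
            }
        }
        {
            prio = $1; sub(/:$/, "", prio); src = ""; tbl = ""
            for (i = 2; i < NF; i++) {
                if ($i == "from")   src = $(i + 1)
                if ($i == "lookup") tbl = $(i + 1)
            }
            # Leave the built-in local/main/default rules alone.
            if (tbl == "" || tbl == "local" || tbl == "main" || tbl == "default") next
            if (src != "" && !((prio " " src " " tbl) in want)) print prio, src, tbl
        }'
}

# delete_commands KERNEL CONFIGURED: print (never execute) the delete command
# from the last reply for each stale rule, so it can be reviewed first.
delete_commands() {
    stale_rules "$1" "$2" | while read -r prio src tbl; do
        printf 'ip rule del from %s lookup %s\n' "$src" "$tbl"
    done
}

delete_commands "$SAMPLE_KERNEL_RULES" "$SAMPLE_CONFIGURED"
```

On a gateway, the first argument would be the live output, as in `delete_commands "$(ip rule list)" "$configured"`, with the printed commands reviewed before any of them is run.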
